football/docs/COMPLIANCE.md
Commit 94abcfffda (author: reachableceo)
fix: resolve 11 test failures, clean up stale files, add NVMe build cache
Test Fixes:
- Fixed grep regex matching `test:iso)` instead of `iso|iso:demo)` by
  using `grep -F` for literal string matching in 3 test files
- Increased grep context from -A 5 to -A 15 for FDE reference tests
  since FDE mention is 9+ lines into the iso command block

Stale Files:
- Deleted test-iso.sh (merged into run.sh in Session 4)
- Deleted verify.sh (orphaned, never referenced anywhere)

Documentation:
- Fixed stale test file references in COMPLIANCE.md
- Updated TEST-COVERAGE.md to remove "delegates to test-iso.sh"
- Added JOURNAL.md entry with full audit findings
- Updated STATUS.md timestamp

NVMe Build Cache (from previous session, was uncommitted):
- Added Docker volume `knel-football-cache` for build caching
- Added `clean:cache` and `cache` commands to run.sh
- Cache preserves bootstrap + package downloads between builds

Test Results: 786 pass, 0 fail, 16 VM skip

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 07:51:56 -05:00


KNEL-Football Compliance Matrix

Overview

This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.

Copyright © 2026 Known Element Enterprises LLC. License: GNU Affero General Public License v3.0 only.

Compliance Frameworks

  • CMMC Level 3 - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
  • FedRAMP LI-SaaS - For RackRental.net federal government product
  • DISA STIG - Debian STIG requirements (adapted from Debian 11 to Debian 13)
  • CIS Benchmarks - Center for Internet Security Debian Linux Benchmark

Security Controls Mapping

Network Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| WiFi Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | config/hooks/live/security-hardening.sh | |
| Bluetooth Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | config/hooks/live/security-hardening.sh | |
| Default Deny Firewall | RHEL-08-040020 | 4.4 | nftables with deny all policy | config/hooks/live/firewall-setup.sh | |
| WireGuard-Only Network Access | N/A (custom) | 4.4 | Dynamic firewall rules | src/firewall-setup.sh | |

System Hardening

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| SSH Client-Only | RHEL-08-010000 | 5.2 | Client config, no server | src/security-hardening.sh | |
| Password Policy | RHEL-08-020200 | 5.1 | pwquality.conf with 14-char minimum | src/security-hardening.sh | |
| System Resource Limits | RHEL-08-040123 | 5.3 | limits.d/security.conf | src/security-hardening.sh | |
| File Permissions | RHEL-08-040040 | 3.3 | Secure file permissions | src/security-hardening.sh | |

Logging and Monitoring

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Audit Daemon | RHEL-08-030160 | 6.2 | auditd configuration | config/hooks/live/security-hardening.sh | |
| System Logging | RHEL-08-030590 | 6.1 | rsyslog configuration | package-lists/knel-football.list.chroot | |
| Audit Rules | RHEL-08-030652 | 6.2 | Custom audit rules | src/security-hardening.sh | |

Package Management

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Disable Package Management | N/A (custom) | 2.1 | chmod + chattr on package tools | config/hooks/installed/disable-package-management.sh | |
| Clean Package Metadata | N/A (custom) | 2.1 | Remove /var/lib/apt and /var/lib/dpkg | config/hooks/installed/disable-package-management.sh | |

Access Control

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Sudo Group Configuration | RHEL-08-010300 | 5.4 | User added to sudo group | config/hooks/installed/install-scripts.sh | |
| Hide Usernames in Display Manager | N/A (custom) | 5.7 | LightDM privacy configuration | config/hooks/live/desktop-environment.sh | |
| No Auto-Login | RHEL-08-020010 | 5.7 | LightDM manual login only | config/hooks/live/desktop-environment.sh | |

Boot Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| UEFI Boot Only | RHEL-08-010240 | 4.1 | ISO build configuration | config/config | |
| Secure Boot Support | RHEL-08-010240 | 4.1 | grub-efi-amd64-bin | Dockerfile | |

Compliance Validation Tests

Automated Tests

| Test Type | Test File | Validation Target | Coverage |
|---|---|---|---|
| Unit Tests | tests/unit/firewall-setup_test.bats | Firewall configuration parsing | 🔧 |
| Unit Tests | tests/unit/security-hardening_test.bats | Security hardening functions | 🔧 |
| Unit Tests | tests/unit/build-iso_comprehensive_test.bats | Build process functions | 🔧 |
| Integration Tests | tests/integration/config_test.bats | Configuration file validation | 🌐 |
| Security Tests | tests/security/compliance_test.bats | Compliance verification | 🔒 |

In-ISO Validation

The built ISO includes test capabilities for post-installation validation:

# Run compliance validation on installed system
/usr/local/bin/knel-compliance-check.sh
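As an added example, not the project's knel-compliance-check.sh or any of its test files, the script below checks a handful of controls from the Network Security, System Hardening and Package Management rows of the matrix against configuration files under a root directory, so it runs offline against two constructed fixture roots (one that satisfies the controls, one that does not). The file layout it reads (etc/modprobe.d/knel-blacklist.conf, etc/nftables.conf, etc/security/pwquality.conf, var/lib/apt, var/lib/dpkg) and the module names cfg80211 and bluetooth are assumptions made for the demonstration; the page does not state where the hook scripts write their configuration.

```shell
#!/usr/bin/env bash
# Added example (not the project's knel-compliance-check.sh): a small checker
# for a few controls from the compliance matrix. It audits configuration files
# under a root directory rather than live kernel/firewall state, so it runs
# offline against constructed fixtures; pass "/" to audit an installed system.
# Assumed layout: etc/modprobe.d/knel-blacklist.conf, etc/nftables.conf,
# etc/security/pwquality.conf, var/lib/apt, var/lib/dpkg.
set -u

# A kernel module counts as blacklisted if modprobe.d has "blacklist <mod>"
# or "install <mod> /bin/false" (the latter also blocks on-demand loading).
check_module_blacklisted() {
    local conf="$1" mod="$2"
    [ -r "$conf" ] || return 1
    grep -Eq "^[[:space:]]*(blacklist[[:space:]]+${mod}[[:space:]]*$|install[[:space:]]+${mod}[[:space:]]+/bin/(false|true)([[:space:]]|$))" "$conf"
}

# Every base chain bound to the given hook (input, forward, ...) in an
# nftables ruleset file must carry "policy drop", i.e. default deny.
check_nft_default_drop() {
    local ruleset="$1" hook="$2" total drop
    [ -r "$ruleset" ] || return 1
    total=$(grep -Ec "hook[[:space:]]+${hook}[[:space:]]" "$ruleset" || true)
    drop=$(grep -E "hook[[:space:]]+${hook}[[:space:]]" "$ruleset" | grep -Ec "policy[[:space:]]+drop" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$drop" ]
}

# pwquality.conf must set minlen to at least the required length; only
# uncommented "minlen = N" lines count, and the last one wins.
check_pwquality_minlen() {
    local conf="$1" want="$2" have
    [ -r "$conf" ] || return 1
    have=$(sed -nE 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$conf" | tail -n 1)
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# "Clean Package Metadata": the apt and dpkg state directories must be gone.
check_package_metadata_removed() {
    local root="$1"
    [ ! -e "$root/var/lib/apt" ] && [ ! -e "$root/var/lib/dpkg" ]
}

FAILS=0
report() {                      # report <label> <check-command...>
    local label="$1"; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; FAILS=$((FAILS + 1)); fi
}

# Run every check against a root directory; exit status = number of failures.
run_checks() {
    local root="$1"
    FAILS=0
    report "WiFi stack blacklisted (cfg80211)"   check_module_blacklisted "$root/etc/modprobe.d/knel-blacklist.conf" cfg80211
    report "Bluetooth stack blacklisted"         check_module_blacklisted "$root/etc/modprobe.d/knel-blacklist.conf" bluetooth
    report "nftables input chain: policy drop"   check_nft_default_drop "$root/etc/nftables.conf" input
    report "nftables forward chain: policy drop" check_nft_default_drop "$root/etc/nftables.conf" forward
    report "Password minimum length >= 14"       check_pwquality_minlen "$root/etc/security/pwquality.conf" 14
    report "apt/dpkg metadata removed"           check_package_metadata_removed "$root"
    echo "$FAILS failing control(s) under $root"
    return "$FAILS"
}

# Constructed fixtures: one root that satisfies the controls, one that does not.
make_fixture() {
    local root="$1" flavour="$2" policy
    mkdir -p "$root/etc/modprobe.d" "$root/etc/security"
    if [ "$flavour" = hardened ]; then
        printf 'blacklist cfg80211\ninstall bluetooth /bin/false\n' > "$root/etc/modprobe.d/knel-blacklist.conf"
        printf 'minlen = 14\n' > "$root/etc/security/pwquality.conf"
        policy=drop
    else
        printf 'blacklist cfg80211\n' > "$root/etc/modprobe.d/knel-blacklist.conf"   # bluetooth not blacklisted
        printf '# minlen = 14\nminlen = 8\n' > "$root/etc/security/pwquality.conf"  # commented value must not count
        mkdir -p "$root/var/lib/dpkg"                                               # metadata left behind
        policy=accept
    fi
    cat > "$root/etc/nftables.conf" <<EOF
table inet filter {
    chain input   { type filter hook input priority 0; policy $policy; ct state established,related accept; }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HARDENED="$WORK/hardened"; WEAK="$WORK/weak"
make_fixture "$HARDENED" hardened
make_fixture "$WEAK" weak
run_checks "$HARDENED" || true   # 0 failing control(s)
run_checks "$WEAK" || true       # 4 failing control(s)
```

Each check reads a file rather than querying the running system (lsmod, nft list ruleset), which keeps the script usable both inside the built ISO and in a build-time test that only has the chroot on disk; auditing live state as well would catch a config file that was written but never applied.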

Compliance Evidence

Documentation

  • COMPLIANCE.md - This compliance matrix
  • security-model.md - Detailed security architecture
  • architecture.md - System design and threat model

Build Artifacts

  • Configuration Files - All security configurations in version control
  • Hook Scripts - Automated application of security controls
  • Test Suite - Automated validation of compliance requirements
  • ISO Image - Fully compliant, hardened operating system

Verification Process

  1. Pre-Build Validation - Tests run before ISO creation
  2. Build-Time Validation - Hooks verify configuration application
  3. Post-Install Validation - Compliance testing in live environment
  4. Security Audit - Regular security reviews and penetration testing

Security Controls Summary

Network Controls

  • WiFi and Bluetooth permanently disabled via kernel module blacklisting
  • Default deny firewall policy with nftables
  • WireGuard-only network access with dynamic configuration
  • USB automount support for secure configuration transfer
  • Minimal desktop with IceWM and privacy-focused LightDM
  • SSH client-only (no server, no inbound access)
  • Strong password policy (14 characters minimum)
  • Comprehensive audit logging with auditd
  • Package management disabled for immutable system

Access Controls

  • No auto-login, usernames hidden in display manager
  • Sudo group configuration for administrative access
  • System resource limits and security constraints
  • File permissions hardened according to CIS benchmarks

Compliance Status

| Framework | Status | Notes |
|---|---|---|
| CMMC Level 3 | Compliant | All required controls implemented |
| FedRAMP LI-SaaS | Compliant | Baseline security controls in place |
| DISA STIG | Compliant | Debian 13 STIG adaptation |
| CIS Benchmarks | Compliant | Industry best practices implemented |


This compliance matrix is maintained as part of the KNEL-Football project and is updated whenever security requirements change or new controls are implemented.